File Integrity Monitoring is a security control that many organizations build their cybersecurity programs around. In a few words, FIM a technology that monitors and detects changes in files that may indicate a cyberattack. When we are talking about maintaining the integrity of a Windows file system, File Integrity Monitoring is applied to ensure no unauthorized changes are made to files, folders or configuration settings.
Most FIM solutions use a cryptographic hash value, calculated for each file, to detect changes. This provides a unique ‘DNA fingerprint’ for each file, generated using a secure hash algorithm such as MD5, SHA1, SHA256 or SHA512.
What should FIM cover?
The monitoring approach needs to cover all file and folder attributes, including the file or folder properties (and in particular the security and permissions) as well as the file contents or composition.
It is also necessary to monitor Windows Registry hives, keys, and values as Windows configuration settings are controlled via Registry entries.
In this way, all significant configuration attributes can be audited for compliance and tracked for changes – installed updates and programs, local user accounts, and the local security and audit policies, which cover everything from the screensaver being used through BitLocker and Windows Firewall settings.
Which Windows files and folders should be tracked?
On a Windows system, file integrity monitoring should be applied to at least the Program Files, Program Files (x86), System 32 and SysWOW64 (operating system files, exe, driver, and DLL files). Applying FIM to the Windows System Drive C:\Windows is also a legitimate approach but as ever, the broader the reach of the monitoring net, the more false positives that will need to be managed.
To this end, it will be necessary to then exclude any files that are known and expected to change regularly, such as live log and database files, for example, C:\Windows\Logs. This ensures that the ‘noise’ from the regular activity is removed and therefore providing a focus on irregular, unexpected changes.
How often should Windows File Integrity checks be made?
Security compliance standards such as the PCI DSS mandate the need to run weekly file integrity checks. However, this weekly period has been determined not because this is necessarily sufficiently frequent to prevent a serious data security breach, which it isn’t.
In fact, the weekly period was derived more as a compromise between the need for frequent FIM checks being balanced against the (traditionally) high resource loads placed on a server during the repeated inventory or baseline process as discussed earlier.
However, with security breaches being so potentially damaging within days or even hours, the need for prompt detection is paramount, therefore any delay to detection may prove costly.
Real-time file integrity monitoring, with continuous detection, should be the minimum level of expectation in order to counteract contemporary cyber security threats.
If this information is helpful to you read our blog for more interesting and useful content, tips and guildelines on similar topics. Contact the team of COMPUTER 2000 Bulgaria now if you have a specific question. Our specialists will be asiisting you with your query.
Content curated by the team of COMPUTER 2000 on the bases of marketing materials provided by our partners/vendors.
Follow us to learn more
CONTACT US
Let’s walk through the journey of digital transformation together.